I am trying to map an application's security-roles to LDAP groups in Tomcat 8.5.13. To test this, I am using the sample protected Tomcat application.
From what I have found, I have to add a block like this to the application's WEB-INF/web.xml:
<!-- Security roles referenced by this web application -->
<security-role>
    <role-name>role1</role-name>
</security-role>
<security-role>
    <role-name>tomcat</role-name>
</security-role>
<security-role-ref>
    <role-name>CN=LDAP_GROUP,OU=Groups,DC=<sub_dc>,DC=<dc>,DC=com</role-name>
    <role-link>tomcat</role-link>
</security-role-ref>
tomcat and role1 are configured as roles in the sample application's auth-constraint.
This is my JNDI configuration in $TOMCAT_HOME/conf/server.xml:
<Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://<ldap_host>:3268"
           connectionName="<ldap_bind_dn>"
           connectionPassword="<ldap_pw>"
           connectionTimeout="3000"
           referrals="follow"
           userBase="DC=<sub_dc>,DC=<dc>,DC=com"
           userSubtree="true"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberOf"
           roleBase="DC=<sub_dc>,DC=<dc>,DC=com"
           roleSubtree="true"
           roleSearch="(uniqueMember={0})"
           roleName="cn"
           roleNested="true"
    />
</Realm>
According to the logs, all of the user's LDAP groups are found, including the LDAP_GROUP referenced in the security-role-ref above. But the role reference does not seem to be used. Trying http://<server>:8080/examples/jsp/security/protected/index.jsp gives:
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Restore request from session 'BB74A040FCCEEEDC150EC5671B6BF7B6'
org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'ldap_user' with type 'FORM'
org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [BB74A040FCCEEEDC150EC5671B6BF7B6] to [A5735CBE706B62943EB9B29899C0CCCD]
org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Proceed to restored request
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[ldap_user(CN=LDAP_GROUP,OU=Groups,DC=<sub_dc>,DC=<dc>,DC=com,<many_more_ldap_group_DNs>,)]
org.apache.catalina.realm.RealmBase.hasRole Username ldap_user does NOT have role tomcat
org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: tomcat
org.apache.catalina.realm.RealmBase.hasRole Username ldap_user does NOT have role role1
org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: role1
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
I have already tried both defining and removing <role rolename="tomcat"/> in $TOMCAT_HOME/conf/tomcat-users.xml, and defining LDAP_GROUP without the distinguished name in the security-role-ref, but it made no difference.
Any suggestions? Thanks in advance.
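The debug log above shows exactly what the realm's access check compares: the roles attached to the GenericPrincipal (here the full group DNs taken from the user's memberOf attribute) against the role names listed in the auth-constraint, by exact string match. The following Python script is an added diagnostic, not part of the question or of Tomcat; it parses the quoted log lines, recovers the principal's roles (splitting the comma-joined list back into DNs with a heuristic, since DNs themselves contain commas), lists the roles the constraint asked for, and then shows how the check would come out with and without a DN-to-role-name mapping. The sample log text and the second group DN are constructed for the example; the mapping is a plain dictionary modelling the translation the question is after, not Tomcat's own security-role-ref handling (which, per the Servlet specification, only affects HttpServletRequest.isUserInRole() lookups from code, not auth-constraint enforcement).

```python
import re

# Constructed sample: the Tomcat debug lines quoted in the question, with the
# "<many_more_ldap_group_DNs>" placeholder replaced by one made-up second group.
SAMPLE_LOG = """\
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[ldap_user(CN=LDAP_GROUP,OU=Groups,DC=<sub_dc>,DC=<dc>,DC=com,CN=Other,OU=Groups,DC=<sub_dc>,DC=<dc>,DC=com,)]
org.apache.catalina.realm.RealmBase.hasRole Username ldap_user does NOT have role tomcat
org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: tomcat
org.apache.catalina.realm.RealmBase.hasRole Username ldap_user does NOT have role role1
org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: role1
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
"""

# GenericPrincipal prints as  GenericPrincipal[<user>(<role>,<role>,...,)]
PRINCIPAL_RE = re.compile(r"GenericPrincipal\[(?P<user>[^(]+)\((?P<roles>.*)\)\]")
# One line per role the auth-constraint required and the principal lacked.
MISSING_RE = re.compile(r"hasRole Username (?P<user>\S+) does NOT have role (?P<role>\S+)")


def split_roles(blob):
    """Split the comma-joined role list back into individual role names.

    Heuristic: a token with no '=' is a plain role name; a token starting with
    'CN=' begins a new DN; any other RDN (OU=, DC=, ...) continues the current DN.
    """
    roles, current = [], []
    for tok in blob.split(","):
        tok = tok.strip()
        if not tok:
            continue  # trailing comma printed by Tomcat
        if current and ("=" not in tok or tok.upper().startswith("CN=")):
            roles.append(",".join(current))
            current = []
        current.append(tok)
    if current:
        roles.append(",".join(current))
    return roles


def parse_tomcat_access_log(text):
    """Return (user, granted_roles, required_roles) from RealmBase debug output."""
    user, granted, required = None, [], []
    for line in text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:
            user = m.group("user")
            granted = split_roles(m.group("roles"))
        m = MISSING_RE.search(line)
        if m and m.group("role") not in required:
            required.append(m.group("role"))
    return user, granted, required


def effective_roles(granted, dn_to_role):
    """Add the application role name for every granted DN present in the mapping."""
    effective = set(granted)
    for dn, role in dn_to_role.items():
        if dn in granted:
            effective.add(role)
    return effective


def check_access(granted, required, dn_to_role=None):
    """Mirror hasResourcePermission: access is granted if ANY required role matches exactly."""
    effective = effective_roles(granted, dn_to_role or {})
    allowed = any(role in effective for role in required)
    return allowed, sorted(effective)


if __name__ == "__main__":
    user, granted, required = parse_tomcat_access_log(SAMPLE_LOG)
    print(f"user: {user}")
    print("roles the realm attached:", *granted, sep="\n  ")
    print("roles the constraint requires:", *required, sep="\n  ")
    print("without mapping ->", check_access(granted, required)[0])
    # Hypothetical mapping from the question's LDAP_GROUP DN to the app role "tomcat".
    mapping = {"CN=LDAP_GROUP,OU=Groups,DC=<sub_dc>,DC=<dc>,DC=com": "tomcat"}
    print("with DN->role mapping ->", check_access(granted, required, mapping)[0])
```

Run against a real catalina log at DEBUG level for org.apache.catalina.realm, the report makes the mismatch visible at a glance: the realm hands over DNs, the constraint names short roles, and nothing in between translates one to the other.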